>Number: 1324 >Category: mod_access >Synopsis: encrypted passwords are not read correctly. >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Oct 27 18:50:00 PST 1997 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.2.4 >Environment: HP-UX 10.20 and Linux on Intel and Alpha and Sparc platforms >Description: In the documentation you point out that the passwd file for the AuthUserFile directive can have the following structure:
username:passwd[: ignored] However if the : or anything follows on the line, the password is returned invalid when you try and login to a secured area via the web. For example if the file had: andrew:xzzxczcc:Andrew Whyte test:v,mn324234 Then the top line would not work, but the bottom line will work perfectly. I have noticed this bug in every version of Apache, and on every platform I have tested which include: Linux (1.0.x - 2.1.x) - Intel (RedHAt, Slackware, Debian) Linux 1.2.30 - Alpha (RedHAt) Linux 1.2.30 - Sparc (RedHat) Digital Unix ver 4.0[a,b,c] - Alpha Dec Ultrix - DECStation 3000 & 5000 's HP-UX B.10.20 ( HP 9000-D230 ) It is really a cosmetic bug, but the simple point is, I would like to be able to store extra info in the file for other tasks and this makes it impossible. Also, it makes using the Unix system passwd file impossible, not that anyone should be using it, but thats not the point. Would really like to see such a small problem fixed somewhere in the future.. Cheers, Andrew >How-To-Repeat: >Fix: I don't know enough C/C++ programming or I could do it myself, but all that needs to happen is instead of reading the encrypted passwd from the begining of the second field in the file to the end of the line, you read it up until you hit another colon. I can follow the code you use to read in the encrypted password and this is exactly what it does, it reads the entire line, so it treats the excess data as part of the passwd string. %0 >Audit-Trail: >Unformatted:
